CVE-2024-56310

Name of the Vulnerable Software and Affected Versions REDCap versions 14.9.6 and earlier REDCap versions up to 15.0.0

Description The issue stems from the absence of Cross-Site Request Forgery (CSRF) protections on the logout functionality in the Project Dashboards name, allowing malicious actions to be executed without user consent. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains a malicious payload, which triggers a logout request and terminates their session.

Recommendations For REDCap versions 14.9.6 and earlier, consider disabling the logout functionality until a patch is available. For REDCap versions up to 15.0.0, restrict access to the Project Dashboards name to minimize the risk of exploitation. As a temporary workaround, avoid clicking on suspicious Project Dashboards names until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.